The National Health Stack: An Expensive, Temporary Placebo
http://editors.cis-india.org/internet-governance/blog/bloomberg-quint-august-6-2018-murali-neelakantan-swaraj-barooah-swagam-dasgupta-torsha-sarkar-national-health-stack-an-expensive-temporary-placebo
<b>The year 2002 saw the introduction of a very ambitious National Program for Information Technology in the United Kingdom with the goal to transform the National Health Service — a pre-existing state-sponsored universal healthcare program. This would include a centralised, digital healthcare record for patients and secure access for 30,000 professionals across 300 hospitals.</b>
<blockquote class="pullquote">The article was published by <a class="external-link" href="https://www.bloombergquint.com/opinion/2018/08/06/the-national-health-stack-an-expensive-temporary-placebo#gs.HBtyGYA">Bloomberg Quint</a> on August 6, 2018.</blockquote>
<hr />
<p style="text-align: justify; ">However, the next ten years would see the scheme meet with constant criticism about its poor management and immense expenditure; and after a gruelling battle for survival, including spending £20 billion and having top experts on board, the NPfIT finally met its end in 2011.</p>
<p style="text-align: justify; ">Fast forward eight years — the Indian government’s public policy think tank, NITI Aayog, is proposing an eerily similar idea for the much less developed, and much more populated Indian healthcare sector. On July 6, the NITI Aayog released a <a href="http://niti.gov.in/writereaddata/files/document_publication/NHS-Strategy-and-Approach-Document-for-consultation.pdf" target="_blank">consultation paper</a> to discuss “a digital infrastructure built with a deep understanding of the incentive structures prevalent in the Indian healthcare ecosystem”, called the National Health Stack. The paper identifies four challenges that previous government-run healthcare programs ran into and that the current system hopes to solve. These include:</p>
<ul>
<li>low enrollment of entitled beneficiaries of health insurance,</li>
<li>low participation by service providers of health insurance,</li>
<li>poor fraud detection,</li>
<li>lack of reliable and timely data and analytics.</li>
</ul>
<p style="text-align: justify; ">The current article takes a preliminary look at the goals of the NHS and where it falls behind. Subsequent articles will break down the proposed scheme with regard to safety, privacy and data security concerns, the feasibility of data analytics and fraud detection, and finally, the role of private players within the entire structure.</p>
<p>The primary aim of any digital health infrastructure should be to complement an existing, efficient healthcare delivery system.</p>
<blockquote>As seen in the U.K., even a very well-functioning healthcare system doesn’t necessarily mean the digitisation efforts will bear fruit.</blockquote>
<p style="text-align: justify; ">The NHS is meant to be designed for and beyond the Ayushman Bharat Yojana — the government’s two-pronged healthcare regime that was introduced on Feb. 1. Unfortunately, though, India’s healthcare regime has long been in need of severe repair, and even if the Ayushman Bharat Yojana works optimally, there are no indications that this will miraculously change by the stated target of 2022. Indeed, experts predict it would take at least a ten-year period to successfully implement universal health coverage. A 2013 report by EY-FICCI stated that we must consider a ten-year time frame as well as allocating 3.5-4.7 percent of the GDP to health expenditure to achieve universal health coverage.</p>
<p>However, as per the current statistics, the centre’s allocation for health in the 2017-18 budget is Rs 47,353 crore, which is 1.15 percent of India’s GDP.</p>
<p><img src="http://editors.cis-india.org/home-images/Patient.jpg" alt="Patient" class="image-inline" title="Patient" /></p>
<p>Patients wait for treatment in the corridor of the Acharya Tulsi Regional Cancer Treatment &amp; Research Institute in Bikaner, Rajasthan, India. (Photographer: Prashanth Vishwanathan/Bloomberg)</p>
<p style="text-align: justify; ">Along with the state costs, India’s current expenditure in the health sector comes to a meagre 1.4 percent of the total GDP, far short of what the target should be. Yet, the government aims to attain universal health coverage by 2022.</p>
<p>In the first of its two-pronged strategy, the Ayushman Bharat Yojana aims to establish 1.5 lakh ‘Health and Wellness Centres’ across the country by 2022, which would provide primary healthcare services free of cost.</p>
<blockquote>However, the total fund allocated for ’setting up’ these centres is only Rs 1,200 crore, which comes down to a meagre Rs 80,000 per centre.</blockquote>
<p style="text-align: justify; ">It is unclear whether the government plans to establish new sub-centres, or improve the existing ones. Either way, a pittance of Rs 80,000 is grossly insufficient. As per reports, among the 1,56,231 current health centres, only 17,204 (11 percent) have met Indian Public Health Standards as of March 31, 2017. Shockingly, basic amenities like water and electricity are scarce, if not absent, in a substantial number of these centres.</p>
<p>At least 6,000 centres do not have a female health worker, and at least 1,00,000 centres do not have a male health worker.</p>
<p><img src="http://editors.cis-india.org/home-images/Woman.jpg" alt="Woman" class="image-inline" title="Woman" /></p>
<p>A woman holds a child in the post-delivery ward of the district hospital in Jind, Haryana, India. (Photographer: Prashanth Vishwanathan/Bloomberg)</p>
<p>Even taking the generous assumption that the existing 17,204 centres are in top condition, the future of the rest of these health and wellness centres continues to be bleak.</p>
<p style="text-align: justify; ">In truth, both limbs of the Ayushman Bharat strategy remain oblivious to the reality of the situation. The goals do not take into account the existing problems within access to healthcare, nor the relevant economic and social indicators that depict a contrasting reality.</p>
<blockquote>Therefore, the fundamental question remains: if there is no established, well-functioning healthcare delivery system to support, what will the NHS help?</blockquote>
<p><img src="http://editors.cis-india.org/home-images/BitterPill.jpg" alt="Bitter Pill" class="image-inline" title="Bitter Pill" /></p>
<h3>NHS: What Purpose Does It Serve?</h3>
<p style="text-align: justify; ">The ambitious scope of the National Health Stack consultation paper aside, the central problem plaguing the Indian healthcare system, i.e., delivery of and access to healthcare, remains unaddressed. The first two problems that the NHS aims to solve focus solely on increasing health insurance coverage. However, very problematically, the document does not explicitly mention how a digital infrastructure would lead to rising enrollment of both beneficiaries and service providers of insurance.</p>
<p>This goal of increasing enrollment without a functioning healthcare system could result in two highly problematic scenarios.</p>
<blockquote>Either health and wellness centres will effectively act as enrollment agencies rather than providers of healthcare, or the government would fall back on its ‘Aadhaar approach’ and employ external enrollment agents.</blockquote>
<p style="text-align: justify; ">The former approach runs a very real risk of the health and wellness centres losing focus on their primary purpose even while statistics show them as functioning centres – thus negatively impacting even the working centres. The latter approach is at a higher risk of running into problems akin to the case of Aadhaar enrollment, such as potential data leakages, identity thefts and a market for fake IDs. Even if we somehow overlook this and assume that the NHS would help increase insurance coverage without additional problems, the larger question still stands: should health insurance even be the primary goal of the government, over and above providing access to healthcare? And what effect will this have on the actual delivery of healthcare services to the common citizen?</p>
<p><img src="http://editors.cis-india.org/home-images/LonePatient.jpg" alt="Lone Patient" class="image-inline" title="Lone Patient" /></p>
<p>A lone patient sleeps in the post operation recovery ward of the district hospital in Jind, Haryana, India. (Photographer: Prashanth Vishwanathan/Bloomberg)</p>
<h3>Should Insurance Be A Primary Objective Of The Indian Government?</h3>
<p style="text-align: justify; ">Simply put, the answer is no, because greater insurance coverage need not necessitate better access to healthcare. In recent years, health insurance in India has been rising rapidly due to government-sponsored schemes. In the fiscal year 2016-17, the health insurance market was valued at Rs 30,392 crore. Even with such large investments in insurance premiums, the insurance market accounts for less than 5 percent of the total health expenditure.</p>
<blockquote>Furthermore, previous experiences with government-sponsored health insurance schemes have proven that there is little merit to such an expensive task.</blockquote>
<p style="text-align: justify; ">For instance, the government’s earlier health insurance scheme, Rashtriya Swasthya Bima Yojana, was predicted to be unable to completely provide ‘accessible, affordable, accountable and good quality health care’ if it focussed only on “increasing financial means and freedom of choice in a top-down manner”.</p>
<p style="text-align: justify; ">These traditional insurance-based models are characterised by problems of information asymmetry such as ‘moral hazard’ — patients and healthcare providers have no incentive to control their costs and tend to overuse, resulting in an unsustainable insurance system and cost inflation. Any attempt to regulate providers is met with harsh, cost-cutting steps which end up harming patients.</p>
<p style="text-align: justify; ">On another note, some diseases which are responsible for the largest number of deaths in the country — including ischaemic heart diseases, lower respiratory tract infections, chronic obstructive pulmonary disease, tuberculosis and diarrhoeal diseases — are usually chronic conditions that need outpatient consultation, resulting in out-of-pocket expenses.</p>
<p><img src="http://editors.cis-india.org/home-images/CancerHospital.jpg" alt="Cancer Hospital" class="image-inline" title="Cancer Hospital" /></p>
<p>Patients wait at the Head and Neck Cancer Out Patient department of Tata Memorial Hospital in Mumbai, India. (Photographer: Prashanth Vishwanathan/Bloomberg News)</p>
<p style="text-align: justify; ">Even though the government has added non-communicable diseases under the ambit of the health and wellness centres, there are still reports stating that for some of the most impoverished, their reality is that 80 percent of the time, they have to cover their expenses from their pocket. This issue in all probability will continue to exist, since the status of these centres and the likelihood of their being successful are themselves questionable.</p>
<blockquote>It is clear that, in the current scheme of things, this traditional insurance model of healthcare cannot benefit those it is meant for.</blockquote>
<p style="text-align: justify; ">If this is the case, why has the NHS built its main objectives around insurance coverage rather than access to healthcare? It is imperative that we question the legitimacy of these goals, especially if they indicate the government's intentions to push health insurance via the NHS above its responsibility of delivering healthcare. The government's thrust for a digital infrastructure shows tremendous foresight, but at what cost? Even the clear goal of healthcare data portability has very little benefit when one understands that this becomes an important goal only when one has given up on ensuring widespread accessible healthcare. Once the focus shifts from using technology needlessly to developing an efficient and universally accessible healthcare delivery system, the need for data portability dramatically reduces. The temptation of digitisation and insurance coverage cannot and should not blind us from the main goal — access to healthcare. The one lesson that we must learn from the case of the U.K. is that even with a well-functioning healthcare delivery system, a digital infrastructure must be introduced very thoughtfully and carefully. In our eagerness to leapfrog with technology, we must not mistake a placebo for a panacea.</p>
<hr />
<p><i>Murali Neelakantan is an expert in healthcare laws. Swaraj Barooah is Policy Director at The Centre for Internet and Society. Swagam Dasgupta and Torsha Sarkar are interns at The Centre for Internet and Society.</i></p>
Murali Neelakantan, Swaraj Barooah, Swagam Dasgupta, and Torsha Sarkar | Internet Governance, Information Technology | 2018-08-13T15:13:10Z | Blog Entry
Anti-trafficking Bill may lead to censorship
http://editors.cis-india.org/internet-governance/blog/livemint-july-24-2018-swaraj-barooah-and-gurshabad-grover-anti-trafficking-bill-may-lead-to-censorship
<b>There are a few problematic provisions in the proposed legislation—it may severely impact freedom of expression.</b>
<p class="S3l" style="text-align: justify; ">The article was published in <a class="external-link" href="https://www.livemint.com/Opinion/GxZ795DUjW3fFrFcWcWp6N/Antitrafficking-Bill-may-lead-to-censorship.html">Livemint</a> on July 24, 2018.</p>
<hr />
<p class="S3l" style="text-align: justify; ">The legislative business of the monsoon session of Parliament kicked off on 18 July with the introduction of the Trafficking of Persons (Prevention, Protection and Rehabilitation) Bill, 2018, in the Lok Sabha. The intention of the Union government is to “make India a leader among South Asian countries to combat trafficking” through the passage of this Bill. Good intentions aside, there are a few problematic provisions in the proposed legislation, which may severely impact freedom of expression.</p>
<p style="text-align: justify; ">For instance, Section 36 of the Bill, which aims to prescribe punishment for the promotion or facilitation of trafficking, proposes a minimum three-year sentence for producing, publishing, broadcasting or distributing any type of material that promotes trafficking or exploitation. An attentive reading of the provision, however, reveals that it has been worded loosely enough to risk criminalizing many unrelated activities as well.</p>
<p style="text-align: justify; ">The phrase “any propaganda material that promotes trafficking of person or exploitation of a trafficked person in any manner” has wide amplitude, and many unconnected or even well-intentioned actions can be construed to come within its ambit as the Bill does not define what constitutes “promotion”. For example, in moralistic eyes, any sexual content online could be seen as promoting prurient interests, and thus also promoting trafficking.</p>
<p style="text-align: justify; ">Rather than imposing a rigorous standard of actual and direct nexus with the act of trafficking or exploitation, a vaguer standard which includes potentially unprovable causality, including by actors who may be completely unaware of such activity, is imposed. This opens the doors to using this provision for censorship and imposes a chilling effect on any literary or artistic work which may engage with sensitive topics, such as trafficking of women.</p>
<p style="text-align: justify; ">In the past, governments have been keen to restrict access to online escort services and pornography. In June 2016, the Union government banned 240 escort sites for obscenity even though it cannot do that under Section 69A or Section 79 of the Information Technology Act, or Section 8 of the Immoral Traffic (Prevention) Act. In July 2015, the government asked internet service providers (ISPs) to block 857 pornography websites on grounds of outraging “morality” and “decency”, but later rescinded the order after widespread criticism. If the historical record is any indication, Section 36 in this present Bill will legitimize such acts of censorship.</p>
<p style="text-align: justify; ">Section 39 proposes an even weaker standard for criminal acts by proposing that any act of publishing or advertising “which <i>may </i>lead to the trafficking of a person shall be punished” (emphasis added) with imprisonment for 5-10 years. In effect, the provision mandates punishment for vaguely defined actions that may not actually be connected to the trafficking of a person at all. This is in stark contrast to most provisions in criminal law, which require <i>mens rea </i>(intention) along with <i>actus reus </i>(guilty act). The excessive scope of this provision is prone to severe abuse, since without any burden of showing a causal connect, it could be argued that anything “may lead” to the trafficking of a person.</p>
<p style="text-align: justify; ">Another by-product of passing the proposed legislation would be a dramatic shift in India’s landscape of intermediary liability laws, i.e., rules which determine the liability of platforms such as Facebook and Twitter, and messaging services like WhatsApp and Signal for hosting or distributing unlawful content.</p>
<p style="text-align: justify; ">Provisions in the Bill that criminalize the “publication” and “distribution” of content ignore that, unlike the physical world, modern electronic communication requires third-party intermediaries to store and distribute content. This wording can implicate neutral communication pipeways, such as ISPs, online platforms and mobile messengers, which currently cannot even know of the presence of such material unless they surveil all their users. Under the proposed legislation, the fact that human traffickers used WhatsApp to communicate about their activities could be used to hold the messaging service criminally liable.</p>
<p style="text-align: justify; ">By proposing this, the Bill is in direct conflict with the internationally recognized Manila Principles on Intermediary Liability, and in dissonance with existing principles of Indian law, flowing from the Information Technology Act, 2000, that identify online platforms as “safe harbours” as long as they act as mere conduits. From the perspective of intermediaries, monitoring content is unfeasible, and sometimes technologically impossible as in the case of WhatsApp, which facilitates end-to-end encrypted messaging. And as a 2011 study by the Centre for Internet &amp; Society showed, platforms are happy to over-comply in favour of censorship to escape liability rather than verify actual violations. The proposed changes will invariably lead to a chilling effect on speech on online platforms.</p>
<p style="text-align: justify; ">Considering these problematic provisions, it will be a wise move to send the Bill to a select committee in Parliament wherein the relevant stakeholders can engage with the lawmakers to arrive at a revised Bill, hopefully one which prevents human trafficking without threatening the Constitutional right of free speech.</p>
Swaraj Barooah and Gurshabad Grover | Freedom of Speech and Expression, Internet Governance, Censorship | 2018-08-02T13:59:16Z | Blog Entry
Spreading unhappiness equally around
http://editors.cis-india.org/internet-governance/blog/business-standard-july-31-2018-sunil-abraham-spreading-unhappiness-equally-around
<b>The section of civil society opposed to Aadhaar is unhappy because the UIDAI and all other state agencies that wish to can process data non-consensually.</b>
<p>The article was published in <a class="external-link" href="https://www.business-standard.com/article/opinion/spreading-unhappiness-equally-around-118073100008_1.html">Business Standard</a> on July 31, 2018.</p>
<hr />
<p style="text-align: justify; ">There is a joke in policy-making circles — you know you have reached a good compromise if all the relevant stakeholders are equally unhappy. By that measure, the B N Srikrishna committee has done a commendable job since there are many with complaints.</p>
<p style="text-align: justify; ">Some in the private sector are unhappy because their demonisation of the European Union’s General Data Protection Regulation (GDPR) has failed. The committee’s draft data protection Bill is closely modelled upon the GDPR in terms of rights, principles, design of the regulator and the design of the regulatory tools like impact assessments. With 4 per cent of global turnover as maximum fine, there is a clear signal that privacy infringements by transnational corporations will be reined in by the regulator. Getting a law that has copied many elements of the European regulation is good news for us because the GDPR is recognised by leading human rights organisations as the global gold standard. But the bad news for us is that the Bill also has unnecessarily broad data localisation mandates for the private sector.</p>
<p style="text-align: justify; ">Some in the fintech sector are unhappy because the committee rejected the suggestion that privacy be regulated as a property right. This is a positive from the human rights perspective, especially because this approach has been rejected across the globe, including the European Union. Property rights are inappropriate because a natural law framing of the enclosure of the commons into private property through labour does not translate to personal data. Also in comparison to patents — or “intellectual property” — the scale of possible discrete property holdings in personal information is several orders higher, posing unimaginable complexity for regulation, possibly creating a gridlock economy.</p>
<p style="text-align: justify; ">The section of civil society opposed to Aadhaar is unhappy because the UIDAI and all other state agencies that wish to can process data non-consensually. A similar loophole exists in the GDPR. Remember the definition of processing includes “operations such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction”. This means the UIDAI can collect data from you without your consent and does not have to establish consent for the data it has collected in the past. There is a “necessary” test which is supposed to constrain data collection. But for the last 10 odd years, the UIDAI has deemed it “necessary” to collect biometrics to give the poor subsidised grain. Will those forms of disproportionate non-consensual data collection continue? Most probably, because the report recommends that the UIDAI continue to play the role of the regulator with heightened powers. Which is like trusting the fox with the henhouse.</p>
<p style="text-align: justify; ">Employees should be unhappy because the Bill has an expansive ground under which employers can non-consensually harvest their data. The Bill allows for non-consensual processing of any data “necessary for recruitment, termination, providing any benefit or service, verifying the attendance or any other activity related to the assessment of the performance”. This is permitted when consent is not an appropriate basis or would involve disproportionate effort on the part of the employer. This is basically a surveillance provision for employers. Either this ground should be removed like in the GDPR or a “proportionate” test should also be introduced; otherwise disproportionate mechanisms like spyware on work computers will be installed by employers without providing notice.</p>
<p style="text-align: justify; ">Some free speech activists are unhappy because the law contains a “right to be forgotten” provision. They are concerned that this will be used by the rich and powerful to censor mainstream and alternative media. On the face of it, the “right to be forgotten” in the GDPR is a much more expansive “right to erasure”, whilst the Bill only provides for a more limited “right to restrict or prevent continuing disclosure”. However, the GDPR has a clear exception for “archiving purposes in the public interest, scientific or historical research purposes or statistical purposes”. The Bill like the GDPR does identify the two competing human rights imperatives — freedom of expression and the right to information. However, by missing the “public interest” test it does not sufficiently address social power asymmetries.</p>
<p style="text-align: justify; ">Privacy and security researchers are unhappy because re-identification has been made an offence without a public interest or research exception. It is indeed a positive that the committee has made re-identification a criminal offence. This is because the de-identification standards notified by the regulator would always be catching up with the latest mathematical development. However, in order to protect the very research that the regulator needs to protect the rights of individuals, the Bill should have granted the formal and non-formal academic community immunity from liability and criminal prosecution.</p>
<p style="text-align: justify; ">Lastly, but also most importantly, human rights activists are unhappy because the committee, again like the GDPR, did not include sufficiently specific surveillance law fixes. The European Union has historically handled this separately in the ePrivacy Regulation. Maybe that is the approach we must also follow or maybe this was a missed opportunity. Overall, the B N Srikrishna committee must be commended for producing a good data protection Bill. The task before us is to make it great and to have it enacted by Parliament at the earliest.</p>
sunil | Aadhaar, Internet Governance, Privacy | 2018-07-31T14:49:52Z | Blog Entry
Lining up the data on the Srikrishna Privacy Draft Bill
http://editors.cis-india.org/internet-governance/blog/economic-times-july-30-2018-sunil-abraham-lining-up-data-on-srikrishna-privacy-draft-bill
<b>In the run-up to the Justice BN Srikrishna committee report, some stakeholders have advocated that consent be eliminated and replaced with stronger accountability obligations. This was rejected and the committee has released a draft bill that has consent as the bedrock just like the GDPR. And like the GDPR there exists a legal basis for non-consensual processing of data for the “functions of the state”. What does this mean for law-abiding persons?</b>
<p>The article was published in <a class="external-link" href="https://economictimes.indiatimes.com/small-biz/startups/newsbuzz/lining-up-the-data-on-the-srikrishna-privacy-draft-bill/articleshow/65192296.cms">Economic Times</a> on July 30, 2018.</p>
<hr />
<p style="text-align: justify; ">Non-consensual processing is permitted in the bill as long as it is “necessary for any function of the” Parliament or any state legislature. These functions need not be authorised by law.</p>
<p style="text-align: justify; ">Or alternatively “necessary for any function of the state authorised by law” for the provision of a service or benefit, issuance of any certification, licence or permit. Fortunately, however, the state remains bound by the eight obligations in chapter two i.e., fair and reasonable processing, purpose limitation, collection limitation, lawful processing, notice and data quality and data storage limitations and accountability. This ground in the GDPR has two sub-clauses: one, the task passes the public interest test and two, the loophole like the Indian bill that possibly includes all interactions the state has with all persons.</p>
<p style="text-align: justify; ">The “necessary” test appears both on the grounds for non-consensual processing, and in the “collection limitation” obligation in chapter two of the bill. For sensitive personal data, the test is raised to “strictly necessary”. But the difference is not clarified and the word “necessary” is used in multiple senses.</p>
<p style="text-align: justify; ">Under the “collection limitation” obligation the bill says “necessary for the purposes of processing” which indicates a connection to the “purpose limitation” obligation. The “purpose limitation” obligation, however, only requires the state to have a purpose that is “clear, specific and lawful” and processing limited to the “specific purpose” and “any other incidental purpose that the data principal would reasonably expect the personal data to be used for”. It is perhaps important at this point to note that the phrase “data minimisation” does not appear anywhere in the bill.</p>
<p style="text-align: justify; ">Therefore “necessary” could be broadly understood to mean data Parliament or the state legislature requires to perform some function unauthorised by law, and data the citizen might reasonably expect a state authority to consider incidental to the provision of a service or benefit, issuance of a certificate, licence or permit.</p>
<p style="text-align: justify; ">Or alternatively more conservatively understood to mean data without which it would be impossible for Parliament and state legislature to carry out functions mandated by the law, and data without which it would be impossible for the state to provide the specific service or benefit or issue certificates, licences and permits. It is completely unclear, like with the GDPR, why an additional test of “strictly necessary” is — if you will forgive the redundancy — necessary.</p>
<p style="text-align: justify; ">After 10 years of Aadhaar, the average citizen “reasonably expects” the state to ask for biometric data to provide subsidised grain. But it is not impossible to provide subsidised grain in a corruption-free manner without using surveillance technology that can be used to remotely, covertly and non-consensually identify persons. Smart cards, for example, implement privacy by design. Therefore a “reasonable expectation” test is not inappropriate since this is not a question about changing social mores.</p>
<p style="text-align: justify; ">When it comes to persons that are not law abiding the bill has two exceptions — “security of the state” and “prevention, detection, investigation and prosecution of contraventions of law”. Here the “necessary” test is combined with the “proportionate” test.</p>
<p style="text-align: justify; ">The proportionate test further constrains processing. For example, GPS data may be necessary for detecting someone has jumped a traffic signal but it might not be a proportionate response for a minor violation. Along with the requirement for “procedure established by law”, this is indeed a well carved out exception if the “necessary” test is interpreted conservatively. The only points of concern here are the infringement of a fundamental right for minor offences and also the “prevention” of offences, which implies processing of personal data of innocent persons.</p>
<p style="text-align: justify; ">Ideally consent should be introduced for law-abiding citizens even if it is merely tokenism because you cannot revoke consent if you have not granted it in the first place. Or alternatively, a less protective option would be to admit that all e-governance in India will be based on surveillance, therefore “necessary” should be conservatively defined and the “proportionate” test should be introduced as an additional safeguard.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/economic-times-july-30-2018-sunil-abraham-lining-up-data-on-srikrishna-privacy-draft-bill'>http://editors.cis-india.org/internet-governance/blog/economic-times-july-30-2018-sunil-abraham-lining-up-data-on-srikrishna-privacy-draft-bill</a>
</p>
No publisher | sunil | Internet Governance | Privacy | 2018-07-31T02:52:23Z | Blog Entry
The Potential for the Normative Regulation of Cyberspace: Implications for India
http://editors.cis-india.org/internet-governance/blog/the-potential-for-the-normative-regulation-of-cyberspace-implications-for-india
<b>Author: Arindrajit Basu
Edited by: Elonnai Hickok, Sunil Abraham and Udbhav Tiwari
Research Assistance: Tejas Bharadwaj</b>
<p style="text-align: justify; ">The standards of international law combined with strategic considerations drive a nation's approach to any norms formulation process. CIS has already produced work with the <a class="external-link" href="https://cyberstability.org/wp-content/uploads/2018/06/GCSC-Research-Advisory-Group-Issue-Brief-2-Bratislava-1.pdf">Research and Advisory Group (RAG)</a> of the Global Commission on the Stability of Cyberspace (GCSC), which looks at the negotiation processes and strategies that various players may adopt as they drive the cyber norms agenda.</p>
<p style="text-align: justify; ">This report focuses more extensively on the substantive law and principles at play and looks closely at what the global state of the debate means for India.</p>
<p style="text-align: justify; ">With the cyber norms formulation efforts in a state of flux, India needs to advocate a coherent position that is in sync with the standards of international law while also furthering India's strategic agenda as a key player in the international arena.</p>
<p style="text-align: justify; ">This report seeks to draw on the works of scholars and practitioners, both in the field of cybersecurity and International Law to articulate a set of coherent positions on the four issues identified in this report. It also attempts to incorporate, where possible, state practice on thorny issues of International Law. The amount of state practice that may be cited differs with each state in question.</p>
<p style="text-align: justify; ">The report provides a bird’s eye-view of the available literature and applicable International Law in each of the briefs and identifies areas for further research, which would be useful for the norms process and in particular for policy-makers in India. Historically, India had used the standards of International Law to inform its positions on various global regimes, such as UNCLOS, and to legitimize its position as a leader of alliances such as the Non-Aligned Movement and AALCO. However, of late, India has used international law far less in its approach to International Relations. This Report therefore explores how various debates on international law may be utilised by policy-makers when framing their position on various issues. Rather than creating original academic content, the aim of this report is to inform policy-makers and academics of the discourse on cyber norms. To make it easier to follow, each Brief is followed by a short summary highlighting the key aspects discussed, so that the reader can access the portion of the brief that he/she feels would be of most relevance. It does not advocate for specific stances but highlights the considerations that should be borne in mind when framing a stance.</p>
<p style="text-align: justify; ">The report focuses on four issues which may be of specific relevance for Indian policy-makers. The first brief focuses on the Inherent Right of Self-Defense in cyberspace and its value for crafting a stable cyber deterrence regime. The second brief looks at the technical limits of attributability of cyber-attacks and hints at some of the legal and political solutions to these technical hurdles. The third brief looks at the non-proliferation of cyber weapons and the existing global governance framework which India could consider when framing its own strategy. The final brief looks at the legal regime on counter-measures and outlines the various grey zones in legal scholarship in this field. It also maps possible future areas of cooperation with the cyber sector on issues such as Active Cyber Defense and the legal framework that might be required if such cooperation were to become a reality. Each brief covers a broad array of literature and jurisprudence and attempts to explore various debates that exist both among international legal academics and the strategic community.</p>
<p style="text-align: justify; ">The ongoing global stalemate over cyber norms casts a grim shadow over the future of cyber-security. However, as seen with the emergence of the nuclear non-proliferation regime, it is not impossible for consensus to emerge in times of global tension. For India, in particular, this stalemate presents an opportunity to pick up the pieces and carve a leadership position for itself as a key norm entrepreneur in cyberspace.</p>
<hr />
<p style="text-align: justify; "><a class="external-link" href="https://cis-india.org/internet-governance/files/normative-regulation-of-cyber-space-report/at_download/file">Read the full report here</a></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/the-potential-for-the-normative-regulation-of-cyberspace-implications-for-india'>http://editors.cis-india.org/internet-governance/blog/the-potential-for-the-normative-regulation-of-cyberspace-implications-for-india</a>
</p>
No publisher | pranav | Cyberspace | Internet Governance | 2018-07-31T23:49:47Z | Blog Entry
The Centre for Internet and Society’s Comments and Recommendations to the: Indian Privacy Code, 2018
http://editors.cis-india.org/internet-governance/blog/the-centre-for-internet-and-society2019s-comments-and-recommendations-to-the-indian-privacy-code-2018
<b>The debate surrounding privacy has in recent times gained momentum due to the Aadhaar judgement and the growing concerns around the use of personal data by corporations and governments.</b>
<p>Click to download the <a class="external-link" href="http://cis-india.org/internet-governance/files/indian-privacy-code">file here</a></p>
<hr />
<p style="text-align: justify; ">As India moves towards greater digitization, and technology becomes even more pervasive, there is a need to ensure the privacy of the individual as well as hold the private and public sector accountable for the use of personal data. Towards enabling public discourse and furthering the development of a privacy framework for India, a group of lawyers and policy analysts backed by the Internet Freedom Foundation (IFF) have put together a draft citizen's bill encompassing a citizen centric privacy code that is based on seven guiding principles.<a href="#_ftn1"><sup><sup>[1]</sup></sup></a> This draft builds on the Citizens Privacy Bill, 2013 that had been drafted by CIS on the basis of a series of roundtables conducted in India.<a href="#_ftn2"><sup><sup>[2]</sup></sup></a> Privacy is one of the key areas of research at CIS and we welcome this initiative and hope that our comments make the Act a stronger embodiment of the right to privacy.</p>
<h1 style="text-align: justify; ">Section by Section Recommendations</h1>
<h2 style="text-align: justify; ">Preamble</h2>
<p style="text-align: justify; "><b>Comment:</b> The Preamble specifies that the need for privacy has increased in the digital age, with the emergence of big data analytics.</p>
<p style="text-align: justify; "><b>Recommendation:</b> It could instead be worded as ‘with the emergence of technologies such as big data analytics’, so as to recognize the impact of multiple technologies and processes including big data analytics.</p>
<p style="text-align: justify; "><b>Comment:</b> The Preamble states that it is necessary for good governance that all interceptions of communication and surveillance be conducted in a systematic and transparent manner subservient to the rule of law.</p>
<p style="text-align: justify; "><b>Recommendation:</b> The word ‘systematic’ is out of place, and can be interpreted incorrectly. It could instead be replaced with words such as ‘necessary’, ‘proportionate’, ‘specific’, and ‘narrow’, which would be more appropriate in this context.</p>
<h2 style="text-align: justify; ">Chapter 1</h2>
<h2 style="text-align: justify; ">Preliminary</h2>
<p style="text-align: justify; "><b>Section 2: </b>This Section defines the terms used in the Act.</p>
<p style="text-align: justify; "><b>Comment:</b> Some of the terms are incomplete and a few of the terms used in the Act have not been included in the list of definitions.</p>
<p style="text-align: justify; "><b>Recommendations:</b></p>
<ul style="text-align: justify; ">
<li>The term “effective consent” needs to be defined. The term is first used in the Proviso to Section 7(2), which states “Provided that effective consent can only be said to have been obtained where...:” It is crucial that the Act defines effective consent, especially when it is with respect to sensitive data.</li>
<li>The term “open data” needs to be defined. The term is first used in Section 5 that states the exemptions to the right to privacy. Subsection 1 clause ii states as follows “the collection, storage, processing or dissemination by a natural person of personal data for a strictly non-commercial purposes which may be classified as open data by the Privacy Commission”. Hence the term open data needs to be defined in order to ensure that there is no ambiguity in terms of what open data means.</li>
<li>The Act does not define “erasure”, although the term erasure does come under the definition of destroy (Section 2(1)(p)). There are some provisions that use the word erasure; hence, if erasure and destruction mean different acts, the term erasure needs to be defined. Otherwise, in order to maintain uniformity, the sections where erasure is used could substitute the term “destroy” as defined under this Act.</li>
<li>The definition of “sensitive personal data” does not include location data and identification numbers. The definition of sensitive data must include location data as the Act also deals in depth with surveillance. With respect to identification numbers, the Act needs to consider identification numbers (e.g. the Aadhaar number, PAN number etc.) as sensitive information, as such a number is linked to a person's identity and can reveal sensitive personal data such as name, age, location, biometrics etc. An example can be taken from Section 4(1) of the GDPR<a href="#_ftn3"><sup><sup>[3]</sup></sup></a> which identifies location data as well as identification numbers as sensitive personal data along with other identifiers such as biometric data, gender, race etc.</li>
<li>The Act defines consent as the “unambiguous indication of a data subject’s agreement”; however, the definition does not indicate that there needs to be an informed consent. Hence the revised definition could read as follows: “the informed and unambiguous indication of a data subject’s agreement”. It is also unclear how this definition of consent relates to ‘effective consent’. This relationship needs to be clarified.</li>
<li>The Act defines ‘data controller’ in Section 2(1)(l) as “ any person including appropriate government..”. In order to remove any ambiguity over the definition of the term person, the definition could specify that the term person means any natural or legal person.</li>
<li>The Act defines ‘data processor’ in Section 2(1)(m) as “means any person including appropriate government”. In order to remove any ambiguity over the definition of the term ‘any person’, the definition could specify that the term person means any natural or legal person.</li>
</ul>
<h2 style="text-align: justify; ">CHAPTER II</h2>
<h2 style="text-align: justify; ">Right to Privacy</h2>
<p style="text-align: justify; "><b>Section 5: </b>This section provides exemptions to the right to privacy.</p>
<p style="text-align: justify; "><b>Comment: </b>Section 5(1)(ii) states that the collection, storage, processing or dissemination by a natural person of personal data for strictly non-commercial purposes is exempted from the provisions of the right to privacy. This clause also states that this data may be classified as open data by the Privacy Commission. This section hence provides individuals the immunity from collection, storage, processing and dissemination of data of another person. However this provision fails to state what specific activities qualify as non-commercial use.</p>
<p style="text-align: justify; "><b>Recommendation: </b>This provision could potentially be strengthened by specifying that the use must be in the public interest. The other issue with this subsection is that it fails to define open data. If open data was to be examined using its common definition, i.e. “data that can be freely used, modified, and shared by anyone for any purpose”<a href="#_ftn4"><sup><sup>[4]</sup></sup></a>, then this section becomes highly problematic, as a simple interpretation would mean that any personal data that is collected, stored, processed or disseminated by a natural person can possibly become available to anyone. Beyond this, India has an existing framework governing open data. Ideally the privacy commissioner could work closely with government departments to ensure that open data practices in India are in compliance with the privacy law.</p>
<h2 style="text-align: justify; ">CHAPTER III</h2>
<h2 style="text-align: justify; ">Protection of Personal Data</h2>
<h2 style="text-align: justify; ">PART A</h2>
<p style="text-align: justify; "><b>Notice by data controller </b></p>
<p style="text-align: justify; "><b>Section 6: </b>This section specifies the obligations to be followed by data controllers in their communication, to maintain transparency, and lays down provisions that all communications by Data Controllers need to comply with.</p>
<p style="text-align: justify; "><b>Comment:</b> There seems to be an error in the <i>Proviso </i>to this section. The proviso states “Provided that all communications by the Data Controllers including but not limited to the rights of Data Subjects under this part <b>shall may be </b>refused when the Data Controller is, unable to identify or has a well founded basis for reasonable doubts as to the identity of the Data Subject or are manifestly unfounded, excessive and repetitive, with respect to the information sought by the Data Subject ”.</p>
<p style="text-align: justify; "><b>Recommendation: </b>The proviso could read as follows: “Provided that all communications by the Data Controllers including but not limited to the rights of Data Subjects under this part <b><i>may</i></b> be refused when the Data Controller is…”. We suggest the use of ‘may’ as this makes the provision less limiting to the rights of the data controller.</p>
<p style="text-align: justify; ">Additionally, it is not completely clear what ‘included but not limited to...’ would entail. This could be clarified further.</p>
<h2 style="text-align: justify; ">PART B</h2>
<h2 style="text-align: justify; ">CONSENT OF DATA SUBJECTS</h2>
<p style="text-align: justify; "><b>Section 10: </b>This section talks about the collection of personal data.</p>
<p style="text-align: justify; "><b>Comment:</b> Section 10(3) lays down the information that a person must provide before collecting the personal data of an individual.</p>
<p style="text-align: justify; "><b>Comment:</b> Section 10(3)(xi) states as follows “the time and manner in which it will be destroyed, or the criteria used to Personal data collected in pursuance of a grant of consent by the data subject to whom it pertains shall, if that consent is subsequently withdrawn for any reason, be destroyed forthwith: determine that time period;”. There seems to be a problem with the sentence construction and the rather complex sentence is difficult to understand.</p>
<p style="text-align: justify; "><b>Recommendation:</b> This section could be reworked in such a way that two conditions are clear: one, the time and manner in which the data will be destroyed, and two, the status of the data once consent is withdrawn.</p>
<p style="text-align: justify; "><b>Comment:</b> Section 10(3)(xiii) states that the identity and contact details of the data controller and data processor must be provided. However it fails to state that the data controller should provide more details with regard to the process for grievance redressal. It does not provide guidance on what type of information needs to go into this notice and the process of redressal. This could lead to very broad disclosures about the existence of redress mechanisms without providing individuals an effective avenue to pursue.</p>
<p style="text-align: justify; "><b>Recommendation: </b>As part of the requirement for providing the procedure for redress, data controllers could specifically be required to provide the details of the Privacy Officers, privacy commissioner, as well as provide more information on the redressal mechanisms and the process necessary to follow.</p>
<p style="text-align: justify; "><b>Section 11: </b>This section lays out the provisions where collection of personal data without prior consent is possible.</p>
<p style="text-align: justify; "><b>Comment:</b> Section 11 states “Personal data may be collected or received from a third party by a Data Controller the prior consent of the data subject only if it is:..”. However, as the title of the section suggests, the sentence could indicate the situations where it is permissible to collect personal data without prior consent from the data subject. Hence the word “without” is missing from the sentence. Additionally, the sentence could state that the personal data may be collected or received directly from an individual or from a third party, as it is possible to directly collect personal data from an individual without consent.</p>
<p style="text-align: justify; "><b>Recommendation:</b> The sentence could read as “Personal data may be collected or received from an <b>individual or a third party </b>by a Data Controller <b><i>without</i></b> the prior consent of the data subject only if it is:..”.</p>
<p style="text-align: justify; "><b>Comment:</b> Section 11(1)(i) states that the collection of personal data without prior consent is permissible when it is “necessary for the provision of an emergency medical service or essential services”. However it does not specify the kind or severity of the medical emergency.</p>
<p style="text-align: justify; "><b>Recommendation: </b>In addition to medical emergency another exception could be made for imminent threats to life.</p>
<p style="text-align: justify; "><b>Section 12: </b>This section details the Special provisions in respect of data collected prior to the commencement of this Act.</p>
<p style="text-align: justify; "><b>Comment:</b> This section states that all data collected, processed and stored by data controllers and data processors prior to the date on which this Act comes into force shall be destroyed within a period of two years from the date on which this Act comes into force, unless consent is obtained afresh within two years or the personal data has been anonymised in such a manner as to make re-identification of the data subject absolutely impossible. However this process can be highly difficult and impractical, as it is time-consuming and expensive, particularly in cases of analog collections of data. This is especially problematic in cases where the controller cannot seek consent of the data subject due to change in address, unavailability or death. This will also be problematic in cases of digitized government records.</p>
<p style="text-align: justify; "><b>Recommendation:</b> We suggest three ways in which the issue of data collected prior to the Act can be handled. One way is to make a distinction on the data based on whether the data controller has specified the purpose of the collection before collecting the data. If the purpose was not defined then the data can be deleted or anonymised. Hence there is no need to collect the data afresh for all the cases. The purpose of the data can also be intimated to the data subject at a later stage and the data subject can choose if they would like the controller to store or process the data. The second way is by seeking consent afresh only for the sensitive data. Lastly, the data controller could be permitted to retain records of data, but must necessarily obtain fresh consent before using them. By not having a blanket provision of retrospective data deletion the Act can address situations where deletion is complicated or might have a potential negative impact by allowing storage, deletion, or anonymisation of data based on its purpose and kind.</p>
<p style="text-align: justify; "><b>Comment:</b> Section (2)(1)(i) of the Act states that the data will not be destroyed provided that <b>effective consent</b> is obtained afresh within two years. However as stated earlier the Act does not define effective consent.</p>
<p style="text-align: justify; "><b>Recommendation:</b> The term <b>effective consent </b>needs to be defined in order to bring clarity to this provision.</p>
<h2 style="text-align: justify; ">PART C</h2>
<h2 style="text-align: justify; ">FURTHER LIMITATIONS ON DATA CONTROLLERS</h2>
<p style="text-align: justify; "><b>Section 16: </b>This section deals with the security of personal data and duty of confidentiality.</p>
<p style="text-align: justify; "><b>Comment:</b> Section 16(2) states “Any person who collects, receives, stores, processes or otherwise handles any personal data shall be subject to a duty of confidentiality and secrecy in respect of it.” Similarly Section 16(3) states “data controllers and data processors shall be subject to a duty of confidentiality and secrecy in respect of personal data in their possession or control.” However, apart from the duty of confidentiality and secrecy, the data collectors and processors could also have a duty to maintain the security of the data. Though it is important for confidentiality and secrecy to be maintained, ensuring security requires adequate and effective technical controls to be in place.</p>
<p style="text-align: justify; "><b>Recommendation:</b> This section could also emphasise the duty of the data controllers to ensure the security of the data. The breach notification could include details about data that is impacted by a breach or attack as well as the technical details of the infrastructure compromised.</p>
<p style="text-align: justify; "><b>Section 17:</b> This section details the conditions for the transfer of personal data outside the territory of India.</p>
<p style="text-align: justify; "><b>Comment:</b> Section 17 allows a transfer of personal data outside the territory of India in 3 situations: if the Central Government issues a notification deciding that the country/international organization in question can ensure an adequate level of protection, compatible with privacy principles contained in this Act; if the transfer is pursuant to an agreement which binds the recipient of the data to similar or stronger conditions in relation to handling the data; or if there are appropriate legal instruments and safeguards in place, to the satisfaction of the data controller. However, there is no clarification for what would constitute ‘adequate’ or ‘appropriate’ protection, and it does not account for situations in which the Government has not yet notified a country/organisation as ensuring adequate protection. In comparison, the GDPR, in Chapter V<a href="#_ftn5"><sup><sup>[5]</sup></sup></a>, contains factors that must be considered when determining adequacy of protection, including relevant legislation and data protection rules, the existence of independent supervisory authorities, and international commitments or obligations of the country/organization. Additionally, the GDPR allows data transfer even in the absence of the determination of such protection in certain instances, including the use of standard data protection clauses, that have been adopted or approved by the Commission; legally binding instruments between public authorities; approved code of conduct, etc. Additionally, it allows derogations from these measures in certain situations: when the data subject expressly agrees, despite being informed of the risks; or if the transfer is necessary for conclusion of contract between data subject and controller, or controller and third party in the interest of data subject; or if the transfer is necessary for reasons of public interest, etc. No such circumstances are accounted for in Section 17.</p>
<p style="text-align: justify; "><b>Recommendation: </b>Additionally, data controllers and processors could be provided with a period to allow them to align their policies towards the new legislation. Making these provisions operational as soon as the Act commences might render the controllers or processors guilty of involuntarily breaching the provisions of the Act.</p>
<p style="text-align: justify; "><b>Section 19: </b>This section states the special provisions for sensitive personal data.</p>
<p style="text-align: justify; "><b>Comment:</b> Section 19(2) states that in addition to the requirements set out under sub-clause (1), the Privacy Commission shall set out additional protections in respect of: i. sensitive personal data relating to data subjects who are minors; ii. biometric and deoxyribonucleic acid data; and iii. financial and credit data. This however creates additional categories of sensitive data apart from the ones that have already been created.<a href="#_ftn6"><sup><sup>[6]</sup></sup></a> These additional categories can result in confusion and errors.</p>
<p style="text-align: justify; "><b>Recommendation: </b>Sensitive data must not be further categorised as this can lead to confusion and errors. Hence all sensitive data could be subject to the same level of protection.</p>
<p style="text-align: justify; "><b>Section 20:</b> This section states the special provisions for data impact assessment.</p>
<p style="text-align: justify; "><b>Comment:</b> This section states that all data impact assessment reports will be submitted periodically to the State Privacy commission. This section does not make provisions for instances or circumstances in which such records may be made public. Additionally the data impact assessment could also include a human rights impact assessment.</p>
<p style="text-align: justify; "><b>Recommendation:</b> The section could also have provisions for making the records of the impact assessment or relevant parts of the assessment public. This will ensure that the data controllers / processors are subjected to a standard of accountability and transparency. Additionally as privacy is linked to human rights the data impact assessment could also include a human rights impact assessment. The Act could further clarify the process for submission to State Privacy Commissions and potential access by the Central Privacy Commission to provide clarity in process.</p>
<p style="text-align: justify; ">Section 20 requires controllers who use new technology to assess the risks to the data protection rights that occur from processing. ‘New technology’ is defined to include pre-existing technology that is used anew. Additionally, the reports are required to be sent to the State Privacy Commission periodically. However, there is no clarification on the situations in which such an assessment becomes necessary, or whether all technology must undergo such an assessment before their use. Additionally, the differentiation between different data processing activities based on whether the data processing is incidental or a part of the functioning needs to be clarified. This differentiation is necessary as there are some data processors and controllers who need the data to function; for instance an ecommerce site would require your name and address to deliver the goods, although these sites do not process the data to make decisions. This can be compared to a credit rating agency that is using the data to make decisions as to who will be given a loan based on their creditworthiness. An example can be taken from the GDPR, which in Article 35, specifies instances in which a data impact assessment is necessary: where a new technology, that is likely to result in a high risk to the rights of persons, is used; where personal aspects related to natural persons are processed automatically, including profiling; where processing of special categories of data (including data revealing ethnic/racial origin, sexual orientation etc), biometric/genetic data; where data relating to criminal convictions is processed; and with data concerning the monitoring of publicly accessible areas. Additionally, there is no requirement to publish the report, or send it to the supervising authority, but the controller is required to review the processor’s operations to ensure its compliance with the assessment report.</p>
<p style="text-align: justify; "><b>Recommendation:</b> The reports could be sent to a central authority, which according to this Act is the Privacy Commission, along with the State Privacy Commission. Additionally there needs to be a differentiation between the incidental and express use of data. The data processors must be given at least a period of one year after the commencement of the Act to present their impact assessment report. This period is required for the processors to align themselves with the provisions of the Act as well as conduct capacity building initiatives.</p>
<h2 style="text-align: justify; ">PART C</h2>
<h2 style="text-align: justify; ">RIGHTS OF A DATA SUBJECT</h2>
<p style="text-align: justify; "><b>Section 21: </b>This section explains the right of the data subject with regard to accessing her data. It states that the data subject has the right to obtain from the data controller information as to whether any personal data concerning her is collected or processed. The data controller has to provide access not only to such information but also to the personal data that has been collected or processed.</p>
<p style="text-align: justify; "><b>Comment:</b> This section does not provide the data subject the right to seek information about security breaches.</p>
<p style="text-align: justify; "><b>Recommendation: </b>This section could state that the data subject has the right to seek information about any security breaches that might have compromised her data (through theft, loss, leaks etc.). This could also include steps taken by the data controller to address the immediate breach as well as steps to minimise the occurrence of such breaches in the future.<a href="#_ftn7"><sup><sup>[7]</sup></sup></a></p>
<h2 style="text-align: justify; ">CHAPTER IV</h2>
<h2 style="text-align: justify; ">INTERCEPTION AND SURVEILLANCE</h2>
<p style="text-align: justify; "><b>Section 28: </b>This section lists out the special provisions for competent organizations.</p>
<p style="text-align: justify; "><b>Comment:</b> Section 28(1) states “all provisions of Chapter III shall apply to personal data collected, processed, stored, transferred or disclosed by competent organizations unless when done as per the provisions under this chapter”. This does not make provisions for other categories of data such as sensitive data.</p>
<p style="text-align: justify; "><b>Recommendation:</b> This section needs to include not just personal data but also sensitive data, in order to ensure that all types of data are protected under this Act.</p>
<p style="text-align: justify; "><b>Section 30:</b> This section states the provisions for prior authorisation by the appropriate Surveillance and Interception Review Tribunal.</p>
<p style="text-align: justify; "><b>Comment:</b> Section 30(5) states “any interception involving the infringement of the privacy of individuals who are not the subject of the intended interception, or where communications relate to <b>medical, journalistic, parliamentary or legally privileged material</b> may be involved, shall satisfy additional conditions including the provision of specific prior justification in writing to the Office for Surveillance Reform of the Privacy Commission as to the necessity for the interception and the safeguards providing for minimizing the material intercepted to the greatest extent possible and the destruction of all such material that is not strictly necessary to the purpose of the interception.” This section needs to state why these categories of communication are more sensitive than others. Additionally, interceptions typically target people and not topics of communication: medical matters may be part of a conversation between two construction workers, and a doctor may communicate about finances.</p>
<p style="text-align: justify; "><b>Recommendation:</b> The section could, instead of singling out “medical, journalistic, parliamentary or legally privileged material”, state that “any interception involving the infringement of the privacy of individuals who are not the subject of the intended interception may be involved, shall satisfy additional conditions including the provision of specific prior justification in writing to the Office for Surveillance Reform of the Privacy Commission.”</p>
<p style="text-align: justify; "><b>Section 37</b>: This section details the bar against surveillance.</p>
<p style="text-align: justify; "><b>Comment: </b>Section 37(1) states that “no person shall order or carry out, or cause or assist the ordering or carrying out of, any surveillance of another person”. The section also prohibits indiscriminate monitoring, or mass surveillance, unless it is necessary and proportionate to the stated purpose. However, it is unclear whether this prohibits surveillance by a resident of their own residential property, which is allowed in Section 5, as the same could also fall within ‘indiscriminate monitoring/mass surveillance’. For instance, in the case of a camera installed in a residential property, which is outward facing, and therefore captures footage of the road/public space.</p>
<p style="text-align: justify; "><b>Recommendation:</b> The Act needs to bring more clarity with regard to surveillance especially with respect to CCTV cameras that are installed in private places, but record public spaces such as public roads. The Act could have provisions that clearly define the use of CCTV cameras in order to ensure that cameras installed in private spaces are not used for carrying out mass surveillance. Further, the Act could address the use of emerging techniques and technology such as facial recognition technologies, that often rely on publicly available data.</p>
<h2 style="text-align: justify; ">CHAPTER V</h2>
<h2 style="text-align: justify; ">THE PRIVACY COMMISSION</h2>
<p style="text-align: justify; "><b>Section 53:</b> This section details the powers and functions of the Privacy Commission.</p>
<p style="text-align: justify; "><b>Comment:</b> Section 53(2)(xiv) states that the Privacy Commission shall publish periodic reports “providing description of performance, findings, conclusions or recommendations of any or all of the functions assigned to the Privacy Commission”. However, this section does not provide for such reports to be published annually, to be made publicly available, or to contain details including the financial aspects of matters contained within the Act.</p>
<p style="text-align: justify; "><b>Recommendation: </b>The functions could include a duty to disclose the information regarding the functioning and financial aspects of matters contained within the Act. Categories that could be included in such reports include: the number of data controllers, number of data processors, number of breaches detected and mitigated etc.</p>
<h2 style="text-align: justify; ">CHAPTER IX</h2>
<h2 style="text-align: justify; ">OFFENCES AND PENALTIES</h2>
<p style="text-align: justify; "><b> Sections 73 to 80:</b> These sections lay out the different punishments for controlling and processing data in contravention to the provisions of this Act.</p>
<p style="text-align: justify; "><b>Comment:</b> These sections, while laying out different punishments for controlling and processing data in contravention of the provisions of this Act, mete out a fine extending up to Rs. 10 crore. This is problematic as it does not base these penalties on the finer aspects of proportionality, such as offences that are not as serious as the others.<br /> <br /> <b>Recommendation:</b> There could be a graded approach to the penalties based on the degree of severity of the offence. This could be in the form of name and shame, warnings and penalties that can be graded based on the degree of the offence.</p>
<p style="text-align: justify; ">Additional thoughts: As India moves to a digital future there is a need for laws to be in place to ensure that individuals' rights are not violated. By riding on the push to digitization, and emerging technologies such as AI, a strong, all-encompassing privacy legislation can allow India to leapfrog and use these emerging technologies for the benefit of the citizens without violating their privacy. A robust legislation can also ensure a level playing field for data-driven enterprises within a framework of openness, fairness, accountability and transparency.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; "><a href="#_ftnref1"><sup><sup>[1]</sup></sup></a> These seven principles include: Right to Access, Right to Rectification, Right to Erasure and Destruction of Personal Data, Right to Restriction of Processing, Right to Object, Right to Portability of Personal Data, Right to Seek Exemption from Automated Decision-Making.</p>
<p style="text-align: justify; "><a href="#_ftnref2"><sup><sup>[2]</sup></sup></a> The Privacy (Protection) Bill 2013: A Citizen’s Draft, Bhairav Acharya, Centre for Internet &amp; Society, available at https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-citizens-draft</p>
<p style="text-align: justify; "><a href="#_ftnref3"><sup><sup>[3]</sup></sup></a> General Data Protection Regulation, available at https://gdpr-info.eu/art-4-gdpr/.</p>
<p style="text-align: justify; "><a href="#_ftnref4"><sup><sup>[4]</sup></sup></a> Antonio Vetro, Open Data Quality Measurement Framework: Definition and Application to Open Government Data, available at https://www.sciencedirect.com/science/article/pii/S0740624X16300132</p>
<p style="text-align: justify; "><a href="#_ftnref5"><sup><sup>[5]</sup></sup></a> General Data Protection Regulation, available at https://gdpr-info.eu/chapter-5/.</p>
<p style="text-align: justify; "><a href="#_ftnref6"><sup><sup>[6]</sup></sup></a> Sensitive personal data under Section 2(bb) includes biometric data; deoxyribonucleic acid data; sexual preferences and practices; medical history and health information; political affiliation; membership of a political, cultural, social organisations including but not limited to a trade union as defined under Section 2(h) of the Trade Union Act, 1926; ethnicity, religion, race or caste; and financial and credit information, including financial history and transactions.</p>
<p style="text-align: justify; "><a href="#_ftnref7"><sup><sup>[7]</sup></sup></a> Submission to the Committee of Experts on a Data Protection Framework for India, Amber Sinha, Centre for Internet &amp; Society, available at https://cis-india.org/internet-governance/files/data-protection-submission</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/the-centre-for-internet-and-society2019s-comments-and-recommendations-to-the-indian-privacy-code-2018'>http://editors.cis-india.org/internet-governance/blog/the-centre-for-internet-and-society2019s-comments-and-recommendations-to-the-indian-privacy-code-2018</a>
</p>
No publisher
Shweta Mohandas, Elonnai Hickok, Amber Sinha and Shruti Trikanand
Aadhaar, Internet Governance, Privacy
2018-07-20T13:55:46Z
Blog Entry

DIDP #31 Diversity of employees at ICANN
http://editors.cis-india.org/internet-governance/blog/didp-31-diversity-of-employees-at-icann
<b>We have requested ICANN to disclose information pertaining to the diversity of employees based on race and citizenship.</b>
<p style="text-align: justify; ">This data is being requested to verify ICANN’s claim of being an equal opportunities employer. ICANN’s employee handbook states that they “...provide equal opportunities and are committed to the principle of equality regardless of race, colour, ethnic or national origin, religious belief, political opinion or affiliation, sex, marital status, sexual orientation, gender reassignment, age or disability.” The data on the diversity of employees based on race and nationality of their employees will depict how much they have stuck to their commitment to delivering equal opportunities to personnel in ICANN and potential employees.</p>
<p style="text-align: justify; ">The request filed by CIS can be <a class="external-link" href="http://cis-india.org/internet-governance/files/didp-request">accessed here</a></p>
No publisher
Akash Sriram
Freedom of Speech and Expression, ICANN, Internet Governance
2018-07-19T14:52:56Z
Blog Entry

CIS submitted a response to a Notice of Enquiry by the US Government on International Internet Policy Priorities
http://editors.cis-india.org/internet-governance/blog/cis-submitted-a-response-to-a-notice-of-enquiry-by-the-us-government-on-international-internet-policy-priorities
<b>The Centre for Internet and Society drafted a response to a Notice of Inquiry (NOI) issued by the U.S. Commerce Department's National Telecommunications and Information Administration (NTIA) on "International Internet Policy Priorities." </b>
<p style="text-align: justify;">The notice covered different areas, and we commented on the following three: The Free Flow of Information and Jurisdiction; The Multi-stakeholder Approach to Internet Governance; and Privacy and Security. The submission made by Swagam Dasgupta was edited by Akriti Bopanna. <strong><a class="external-link" href="http://cis-india.org/internet-governance/files/comments-on-internet-priorities">Read the submission here</a>.</strong></p>
<hr />
<p style="text-align: justify;">The submission broadly covered the following aspects:</p>
<h3 style="text-align: justify;">The Free Flow of Information and Jurisdiction</h3>
<ul style="text-align: justify;">
<li>What are the challenges to the free flow of information online?</li>
<li>Which foreign laws and policies restrict the free flow of information online? What is the impact on U.S. companies and users in general?</li>
<li>Have courts in other countries issued internet-related judgments that apply national laws to the global internet? What have the effects been on users?</li>
<li>What are the challenges to freedom of expression online?</li>
<li>What should be the role of all stakeholders globally—governments, companies, technical experts, civil society and end users — in ensuring free expression online?</li>
<li>What role can NTIA play in helping to reduce restrictions on the free flow of information over the internet and ensuring free expression online?</li>
<li>In which international organizations or venues might NTIA most effectively advocate for the free flow of information and freedom of expression? What specific actions should NTIA and the U.S. Government take?</li>
</ul>
<h3 style="text-align: justify;">Multistakeholder Approach to Internet Governance</h3>
<ul style="text-align: justify;">
<li>Does the multistakeholder approach continue to support an environment for the internet to grow and thrive? If so, why? If not, why not?</li>
<li>Are there public policy areas in which the multistakeholder approach works best? If yes, what are those areas and why? Are there areas in which the multistakeholder approach does not work effectively? If there are, what are those areas and why?</li>
<li>Should the IANA Stewardship Transition be unwound? If yes, why and how? If not, why not?</li>
<li>What should be NTIA’s priorities within ICANN and the GAC?</li>
<li>Are there barriers to engagement at the IGF? If so, how can we lower these barriers?</li>
<li>Are there improvements that can be made to the IGF’s structure?</li>
</ul>
<h3 style="text-align: justify;">Privacy and Security</h3>
<ul style="text-align: justify;">
<li>In what ways are cybersecurity threats harming international commerce? In what ways are the responses to those threats harming international commerce?</li>
</ul>
No publisher
Swagam Dasgupta
Internet Governance, Privacy
2018-07-18T17:10:53Z
Blog Entry

ICANN Diversity Analysis
http://editors.cis-india.org/internet-governance/blog/icann-diversity-analysis
<b>The Centre for Internet & Society (CIS) carried out an analysis of the diversity of participation at the ICANN processes by taking a close look at their mailing lists. </b>
<p style="text-align: justify; ">The by-laws of The Internet Corporation for Assigned Names and Numbers (ICANN) state that it is a non-profit public-benefit corporation which is responsible, at the overall level, for the coordination of the “global internet's systems of unique identifiers, and in particular to ensure the stable and secure operation of the internet's unique identifier systems”.<a href="#_ftn1"><sup><sup>[1]</sup></sup></a> Previously, this was overseen by the Internet Assigned Numbers Authority (IANA) under a US Government contract but in 2016, the oversight was handed over to ICANN, as a global multi-stakeholder body.<a href="#_ftn2"><sup><sup>[2]</sup></sup></a> Given the significance of the multistakeholder nature of ICANN, it is imperative that stakeholders continue to question and improve the inclusiveness of its processes. The current blog post seeks to focus on the diversity of participation at the ICANN process.</p>
<p style="text-align: justify; ">As stakeholders are spread across the world, much of the communication discussing the work of ICANN takes place over email. Various mailing lists inform members of ICANN activities and are used for discussions between them, from policy advice to organizational building matters. Many of these lists are public and hence can be subscribed to by anyone and can also be viewed by non-members through the archives.</p>
<p>CIS analysed the five most active mailing lists amongst the working group mailing lists from January 2016 to May 2018, namely:</p>
<p>Outreach &amp; Engagement,</p>
<p>Technology,</p>
<p>At-Large Review 2015 - 2019,</p>
<p>IANA Transition &amp; ICANN Accountability, and</p>
<p>Finance &amp; Budget mailing lists.</p>
<p style="text-align: justify; ">We looked at the diversity among these active participants by focusing on their gender, stakeholder grouping and region. In order to arrive at the data, we referred to public records such as the Statement of Interests which members have to give to the Generic Names Supporting Organization (GNSO) Council if they want to participate in their working groups. We also used, where available, ICANN Wiki and the LinkedIn profiles of these participants. Given below are some of the observations we made subsequent to surveying the data. We acknowledge that there might be some inadvertent errors made in the categorization of these participants, but are of the opinion that our inference from the data would not be drastically affected by a few errors. The following findings were observed:</p>
<ul>
<li>A total of 218 participants were present on the 5 mailing lists that were looked at.</li>
<li style="text-align: justify; ">Of these, 92 were determined to be active participants (participants who had sent more than the median number of mails in their working group), out of which 75 were non-staff members.</li>
</ul>
<p>Among the active non-staff participants:</p>
<ul>
<li>Out of the 75 participants, <b>56</b> (<b>74.7%</b>) were male and <b>19</b> (<b>25.3%</b>) were female.<br /><img src="http://editors.cis-india.org/home-images/Gender.png" alt="Gender" class="image-inline" title="Gender" /><br /><br /><img src="http://editors.cis-india.org/home-images/StakeholderGroup.png" alt="Stakeholder Group" class="image-inline" title="Stakeholder Group" /></li>
<li style="text-align: justify; "><b>57.3%</b> were identified to be members of the industry and technological community and 1.3% were identified as government representatives. 8.0% were representatives from Academia, 25.3% represented civil society and the remaining 8.0% were from fields that were uncategorizable with respect to the above, but were related to law and consultancy.<br /><img src="http://editors.cis-india.org/home-images/Region.png" alt="Region" class="image-inline" title="Region" /></li>
<li style="text-align: justify; ">Only 14.7% of the participants were from Asia, while the largest groups were from Africa and then North America, with 24% and 22.7% participation respectively.</li>
<li style="text-align: justify; ">Within Asia, we identified only one active participant from China.</li>
</ul>
<h3>Concerns</h3>
<ul>
<li>The vast majority of the people participating in, and by extension influencing, ICANN's work are male, constituting three-fourths of the participants.</li>
<li style="text-align: justify; ">The mailing lists are dominated by individuals from industry. This, coupled with the relative minority presence of the other stakeholders, creates an environment where concerns emanating from other sections of society could be overshadowed.</li>
<li>Only 14.7% of the participants were from Asia, which is concerning since 48.7% of internet users worldwide belong to Asia.<a href="#_ftn3"><sup><sup>[3]</sup></sup></a></li>
<li>China, which has the world’s largest population of internet users (700 million people),<a href="#_ftn4"><sup><sup>[4]</sup></sup></a> had only one active participant on these mailing lists.</li>
</ul>
<p style="text-align: justify; ">ICANN, being a global multistakeholder organization, should ideally have the number of representatives from each region be proportionate to the number of internet users in that region. In addition to this, participation of women on these mailing lists needs to increase to ensure that there is inclusive contribution in the functioning of the organization. We did not come across any indication of participation of individuals of non-binary genders.</p>
<hr align="left" size="1" width="100%" />
<p><a href="#_ftnref1"><sup><sup>[1]</sup></sup></a> https://cis-india.org/telecom/knowledge-repository-on-internet-access/icann</p>
<p><a href="#_ftnref2"><sup><sup>[2]</sup></sup></a> https://www.icann.org/news/announcement-2016-10-01-en</p>
<p><a href="#_ftnref3"><sup><sup>[3]</sup></sup></a> https://www.internetworldstats.com/stats.htm</p>
<p><a href="#_ftnref4"><sup><sup>[4]</sup></sup></a> https://www.internetworldstats.com/stats3.htm</p>
No publisher
Paul Kurian and Akriti Bopanna
ICANN, Featured, Homepage, Internet Governance
2018-07-17T01:00:27Z
Blog Entry

CIS contributes to the Research and Advisory Group of the Global Commission on the Stability of Cyberspace (GCSC)
http://editors.cis-india.org/internet-governance/blog/cis-contributes-to-the-research-and-advisory-group-of-the-global-commission-on-the-stability-of-cyberspace-gcsc
<b>The Global Commission on the Stability of Cyberspace (GCSC) is an initiative of the Hague Centre for Strategic Studies and the East West Institute that seeks to promote mutual awareness and understanding among various cyberspace communities. It seeks to develop norms and policies that advance the stability and security of cyberspace.</b>
<p style="text-align: justify; ">Chaired by Marina Kaljurand, and Co-Chaired by Michael Chertoff and Latha Reddy, the Commission comprises 26 prominent Commissioners who are experts hailing from a wide range of geographic regions representing multiple communities including academia, industry, government, technical and civil society.</p>
<p style="text-align: justify; ">As a part of their efforts, the GCSC sent out a call for proposals for papers that sought to analyze and advance various aspects of the cyber norms debate.</p>
<p style="text-align: justify; ">Elonnai Hickok and Arindrajit Basu’s paper ‘Conceptualizing an International Security Architecture for Cyberspace’ was selected by the Commissioners and published as a part of the Briefings of the Research and Advisory Group.</p>
<p style="text-align: justify; ">Arindrajit Basu represented CIS at the Cyberstability Hearings held by the GCSC at the sidelines of the <a href="https://www.globsec.org/projects/globsec-2018/">GLOBSEC forum</a> in Bratislava, a multilateral conference seeking to advance dialogue on various issues of international peace and security.</p>
<p style="text-align: justify; ">The published paper and the Power Point may be accessed <a href="https://cyberstability.org/research/issue-brief-2-bratislava/">here.</a></p>
<p style="text-align: justify; ">The agenda for the hearings is reproduced below:</p>
<p style="text-align: justify; ">GCSC HEARINGS, 19 MAY 2018</p>
<p style="text-align: justify; ">HEARINGS: TOWARDS INTERNATIONAL CYBERSTABILITY</p>
<p style="text-align: justify; ">Venue: “Habsburg” room, Grand Hotel River Park</p>
<p style="text-align: justify; ">15:00-15:15 Welcome Remarks by Marina Kaljurand, Chair of the Global Commission on the Stability of Cyberspace (GCSC) and former Foreign Minister of Estonia</p>
<p style="text-align: justify; ">15:15-16:45 Hearing I: Expert Hearing</p>
<p style="text-align: justify; "><i>This session focuses on the topic Cyberstability and the International Peace and Security Architecture and includes scene settings, food-for-thought presentations on the new GCSC commissioned research, briefings and open statements by government and nongovernmental speakers.</i></p>
<p style="text-align: justify; ">Scene setting: “Cyber Diplomacy in Transition” by Carl Bildt, former Prime Minister of Sweden</p>
<p style="text-align: justify; ">Commissioned Research I: “Lessons learned from three historical case studies on establishing international norms” by Arindrajit Basu, Centre for Internet and Society, India</p>
<p style="text-align: justify; ">Commissioned Research II: “The ‘pre-normative’ framework and options for cyber diplomacy” by Elana Broitman, New America Foundation</p>
<p style="text-align: justify; ">“Some Remarks on current thinking within the United Nations”, by Renata Dwan, Director, United Nations Institute for Disarmament Research (UNIDIR)</p>
<p style="text-align: justify; ">(Registered Statements by Government Advisors)</p>
<p style="text-align: justify; ">(Statements by other experts)</p>
<p style="text-align: justify; ">(Open floor discussion)</p>
<p style="text-align: justify; ">16:45-17:15 Coffee Break</p>
No publisher
Arindrajit Basu
Cyber Security, Internet Governance, Cyberspace
2018-07-05T16:00:02Z
Blog Entry